Re: Chromium's support for CORS and UMP

On 5/10/10 10:21 PM, Nathan wrote:
> 2: Implement a user UI confirmation screen to allow JS applications XHR
> access to other origin resources. (Similar to the allow desktop
> notifications scenario in Chromium)

Under what conditions would the typical user be able to make an informed 
decision here?

> 3: Standardise a way of having signed scripts that are trusted (like
> Mozilla have implemented)

Mozilla is removing signed script support.  It leads to too much 
complexity, is disabled by default for users anyway, etc.

> Ideally, a long-term shift towards global access unless denied by CORS
> would be an ideal solution (imo), typically corporate sys admins will
> be a bit more up to speed when it comes to implementing security features
> than Joe Public, and quite sure that a security bulletin + a bit of
> coverage around the web would get the information into the right hands

You're being _way_ too optimistic about this.  "corporate sys admins" 
are still using HTML blacklists in HTML filters on a routine basis, 
after years of education attempts...

> Surely we can't be dependent on CORS indefinitely, perhaps some form of
> planned path as to how CORS might be phased out?

CORS is only needed if you want to perform actions cross-site with the 
user's credentials on the other site, right?  For that use case, I would 
in fact expect us to depend on CORS indefinitely.

-Boris

Received on Tuesday, 11 May 2010 02:46:13 UTC